Good morning,
I have a router mikrotik RB951Ui-2HnD and I want to block some web site like facebook and youtube.
I have tried to use Layer 7 protocol and web proxy but it was not working. The users are still accessing the web site.
Can you help me please.

Post here your firewall config. You should block them just on layer 3.

You must off "FastTrack".
Better use option TLS HOST than L7 protocol. You must have ROS min. v. 6.41.1 to this.

Try this one:

/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"

/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes

add action=mark-packet chain=prerouting connectionmark=youtube_conn new-packet-mark=youtube_packet

/ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet

I would just add all the facebook and youtube prefix list in the routing table with type unreachable, keeping fasttrack and call it a day.
But it seems a lot of youtube servers share the same subnet with google.com, so it's hard to do.

One way around is to block youtube and facebook domains in the mikrotik dns server, make static resolvers to 127.0.0.1. Then drop DNS queries out from your LAN on port 53 except the router it self, to avoid users using public dns servers. That should block most novice users from using youtube and facebook.

On my current router, which the microtik will replace, I found it very difficult to block anything with HttpS.
Does mikrotik handle blocking HTTPS sites with ease??

I would agree with WirtelPL:

Try using the TLS-Host option. It was introduced in RouterOS v. 6.41. It will also handle HTTPS.

Just an excerpt from the mikrotik newsletter Feb2018:

Since most of the internet now uses https, it has become much harder to filter specific web content. For this
reason, RouterOS 6.41 introduces a new firewall matcher which allows you to block https websites (TLS traffic)
based on the TLS SNI extension, called “TLS-HOST”. The new parameter supports glob-style patterns, which
should be enough for whatever you’re trying to match.
For example, to block example.com, you would use a rule like this:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.example.com action=reject

Thanks a bunch az1984!
So the OP has many options in terms of
blocking by name and by TLS name
by IP and TLS IP

It sounds like if one had access to list of various names and a list of IPs used by facebook youtube,
one could put them in a single address list and then apply the TLS Rule to the LIST!!

Try this one:

/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube).*\$"

/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=youtube new-connection-mark=youtube_conn passthrough=yes

add action=mark-packet chain=prerouting connectionmark=youtube_conn new-packet-mark=youtube_packet

/ip firewall filter
add action=drop chain=forward packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet

i tried this and it blocks all traffic going out to my router...is there other ways to block site aside from this...thank in regards

Hello, May you help ?
My setup {hapac2 > SXT LTE > ISP} SXT does NAT for hapac2.
Your code works. Thank you.

Below shows traffic & marks connection,
add action=mark-connection chain=prerouting comment=youtube connection-mark=\
no-mark dst-port=53 layer7-protocol=youtube new-connection-mark=\
youtube_conn passthrough=yes protocol=udp

however (below) does nothing & does not work when inserted in your code.
add action=mark-connection chain=prerouting comment=youtube connection-mark=\
no-mark dst-port=53 layer7-protocol=youtube new-connection-mark=\
youtube_conn passthrough=yes protocol=udp src-address-list=tablets

A previous simple firewall rule for limiting internet access by time with the same "src-address-list=tablets" works fine.
I have tried placing the code in both the hapac2 & SXT & in both the mangle & fw rules but no success.